
Tailscale Compliance & Certifications 2026
Tailscale holds a SOC 2 Type II attestation and publishes its security policies. No FedRAMP, no FIPS module. What a security review finds, and what to request.
Tailscale Compliance verdict
Tailscale's compliance file is short, and the company says so itself.
One SOC 2 Type II attestation covers the AICPA security, availability and confidentiality criteria. The report sits behind an NDA.
A security review starts with two requests. Pull the SOC 2 Type II report from the legal page, under NDA. Read the security policies on GitHub, they are public. The unusual part is verifiability. The daemon and CLI are open source, the code itself can be audited, and Latacora does exactly that on a schedule. Federal work changes the math. Tailscale brings no ATO and no FIPS module. Plan for it to live inside an existing authorized boundary, with its traffic wrapped in FIPS-validated TLS or IPsec. NIST SP 800-18 and FIPS 199 decide which side of the boundary it sits on.
- Tailscale is not FedRAMP authorized and uses no FIPS-validated module. It is meant to sit inside a customer's existing authorized boundary.
- The headline attestation is a single SOC 2 Type II. The report is confidential and released under NDA from the legal page.
- The independent signal is open-source verifiability, the daemon and CLI on GitHub. There is no regulator listing and no review rating here.
- SOC 2
- Type II (NDA report)
- Audits
- Latacora, ongoing
- Independent
- Open-source on GitHub
- FedRAMP
- Not authorized (boundary layer)
- FIPS
- Layered, no validated module
This page covers Tailscale's compliance posture and data handling. General capabilities and deployment mechanics live on their own pages.
Tailscale certifications and the evidence behind them
| Framework | Status | Evidence to request |
|---|---|---|
| SOC 2 Type II | Certified | AICPA security, availability and confidentiality; report under NDA |
| Latacora audits | Ongoing | Independent security firm; app, network and corporate security |
| Open-source code | Auditable | tailscaled daemon and CLI public on GitHub for independent verification |
| Security policies | Public | Published on GitHub for transparency and reuse |
| HIPAA / PCI | See FAQ | Addressed in the security FAQ, not standalone certifications |
| FedRAMP | Not authorized | No ATO; usable within a scoped FedRAMP Moderate boundary |
| FIPS 140-2/3 | Not validated | No validated module; compliant via layered FIPS encryption |
Compliance evidence to request from Tailscale
| Evidence | Type | How to get it |
|---|---|---|
| SOC 2 Type II report | Report | Legal page, under NDA |
| Open-source code (tailscaled + CLI) | Source | Public on GitHub, independently auditable |
| Security policies | Document | Public on GitHub |
| Security bulletins | Disclosure | Published openly |
| DPA and subprocessor list | Document | Security FAQ and privacy policy |
What to verify before you rely on Tailscale
- There is no FedRAMP Authority to Operate; compliance depends on placing Tailscale correctly inside your own authorized boundary.
- No FIPS-validated cryptographic module is used, so FIPS compliance requires wrapping Tailscale traffic in FIPS-validated TLS or IPsec.
- The headline attestation is a single SOC 2 Type II whose report is confidential and obtained only from the legal page under NDA.
- There is no bug-bounty program, and by design the coordination server collects connection metadata including public IP addresses, which buyers with strict data-minimization needs should account for.
Tailscale Compliance FAQ
Is Tailscale FedRAMP authorized?
No, and it has no Authority to Operate. Tailscale's own guidance is that FedRAMP-certified cloud providers can still run it inside properly scoped boundaries: NIST SP 800-18 and FIPS 199 determine whether it sits inside or outside your system boundary, and where FIPS is required you wrap its traffic in FIPS-validated TLS or IPsec. In practice that makes it usable in FedRAMP Moderate environments as a layer, not as a federally authorized service in its own right.
What compliance certifications does Tailscale hold?
One headline attestation: a completed SOC 2 Type II, audited against AICPA criteria. Around it sit the ongoing audits by the security firm Latacora, security policies published openly on GitHub, and public security bulletins. HIPAA and PCI are addressed in the security FAQ rather than held as standalone certifications, and there is no FedRAMP authorization and no FIPS-validated cryptographic module.
How does Tailscale protect and handle data?
Through end-to-end WireGuard encryption. Data is encrypted point-to-point and private keys never leave their nodes, so Tailscale sees connection metadata, including the public IPs needed to link devices, but never your payload. DERP relays only forward traffic that is already encrypted and do not log it. Documented controls cover encryption at rest and in transit.
How do I get Tailscale's compliance evidence?
The SOC 2 Type II report is confidential: you request it through the legal page, which in practice means contacting support and signing an NDA. Everything else is open. The security policies live on GitHub, security bulletins are published, and the open-source code itself serves as architectural evidence. Latacora's ongoing audits add the independent third-party layer.
What should I verify before relying on Tailscale for compliance?
Start by confirming that a single SOC 2 Type II meets your bar, and read its scope and validity under NDA. If you operate in government or regulated environments, plan Tailscale as a layer inside your own FedRAMP or FIPS boundary, because it brings no ATO and no FIPS-validated module. Account for the connection metadata the coordination server collects, and note that there is no bug bounty program.
Sources & verification
| Source | What was checked | Last checked |
|---|---|---|
| Tailscale Official | Official product page | July 10, 2026 |
| GitHub Tailscale Tailscale | Independent reference | July 10, 2026 |
| Tailscale Reference Tailscale Fedramp Fips140 | Tailscale Fedramp Fips140 | July 10, 2026 |
| Tailscale Security | Security and compliance | July 10, 2026 |
Every fact on this Tailscale page is tied to a named source and a verification date. Freshness-sensitive figures trace to the sources above; verify against the vendor before relying on them.
Explore Tailscale
Every page on Tailscale in one place, you are on compliance.
Snapshot, score and verdict
You are here
Hosting model, environments and rollout in your stack
Every tier and the entry price
Compared and ranked vs peers
Price and feature change history
Browse the full Identity & Access Management category
